CVE-2026-49434
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk47th percentile — higher than 47% of all known CVEs
Summary
An improper input validation vulnerability in Apache ActiveMQ allows an attacker with LDAP access to instantiate denied transports within the broker JVM. This can be exploited to fetch a malicious URL and spawn a second BrokerService in the same JVM.
Risk Assessment
The risk includes potential remote code execution or privilege escalation within the ActiveMQ server, leading to compromise of the broker and breach of message confidentiality and integrity.
Recommendation
Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately, as these versions contain the fix for this vulnerability.
Original NVD description (English source)
Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

